
Analyzing Prefetch Files For Execution History
Investigate which programs ran on a Windows host by interpreting Prefetch artifacts during incident response or malware triage.
Overview
Analyzing Prefetch Files for Execution History is an agent skill for the Ship phase that helps interpret Windows Prefetch artifacts to infer recent program execution during security investigations.
Install
npx skills add https://github.com/mukul975/anthropic-cybersecurity-skills --skill analyzing-prefetch-files-for-execution-history
What is this skill?
- Interprets Windows Prefetch (.pf) records to reconstruct program execution timelines
- Supports security investigations where process logs are missing or have been tampered with
- Fits agent-assisted forensic workflows alongside other Anthropic cybersecurity skills
- Apache 2.0–licensed skill package suitable for audit and IR playbooks
- Outputs execution-history narrative suitable for post-incident reports
Adoption & trust: 1 install on skills.sh; 14.9k GitHub stars; 3/3 security scanners passed (skills.sh audits); trending (+100% hot-view momentum).
What problem does it solve?
You suspect malicious or unknown software ran on a Windows machine but lack reliable process logs or EDR history.
Who is it for?
Solo builders or tiny teams doing Windows endpoint triage, malware homework, or audit support with agent assistance.
Skip if: Linux-only stacks, cloud-only forensics without Windows hosts, or teams that need certified chain-of-custody tooling instead of agent-guided analysis.
When should I use this skill?
You need to infer recent program execution on Windows using Prefetch artifacts during a security or IR review.
What do I get? / Deliverables
You produce a defensible execution-history narrative from Prefetch data that you can fold into a security report or next-step containment plan.
- Execution-history summary from Prefetch interpretation
- Notes for security report or follow-up containment
Journey fit
Execution-history forensics sits in Ship under security because solo builders and small teams use it when hardening or investigating a machine before or after release—not during greenfield feature work. Security subphase is the canonical shelf for Windows artifact analysis skills that answer “what executed here?” without folding them into generic monitoring dashboards.
How it compares
Use for Windows artifact forensics rather than generic “scan my repo for secrets” security skills.
Common Questions / FAQ
Who is analyzing-prefetch-files-for-execution-history for?
Indie developers, security-curious solo founders, and small teams investigating Windows endpoints who want structured Prefetch interpretation via Claude Code, Cursor, or similar agents.
When should I use analyzing-prefetch-files-for-execution-history?
During Ship-phase security work: post-incident triage on a dev laptop, validating what ran on a build VM, or supplementing logs before you ship updates from a compromised-suspect machine.
Is analyzing-prefetch-files-for-execution-history safe to install?
Review the Security Audits panel on this Prism page and the upstream repo license; forensics skills may imply handling sensitive host data—run only on systems you own or are authorized to examine.
SKILL.md
SKILL.md - Analyzing Prefetch Files For Execution History
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions.

"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.

"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.

"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.

"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.

"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.

"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.

"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).

"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.

"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to the Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."

"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by the Licensor and subsequently incorporated within the Work.

2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.

3. Grant of Patent License. Subject to the terms and conditions of